SEC505: Securing Windows with the Critical Security Controls

This is my fifth SANS course. Jason is an exceptionally hard-working instructor who adds tremendous value with his unrestricted contributions to the community.

Matthew Wheeler, Los Alamos Natl Lab

If you think you know Windows, take this Windows security class - your review of your own skills and understanding will be challenged, for the better!

Matthew Stoeckle, Nebraska Public Power District

SECURITY 505: Securing Windows with the Critical Security Controls

How can we defend against pass-the-hash attacks, administrator account compromise, and the lateral movement of hackers inside our networks? How do we actually implement the Critical Security Controls on Windows in a large environment? How can we significantly reduce the client-side exploits that lead to advanced persistent threat malware infections? We tackle these tough problems in SEC505: Securing Windows with the Critical Security Controls.

Understanding how penetration testers and hackers break into networks is not the same as knowing how to design defenses against them, especially when you work in a large and complex Active Directory environment. Knowing about tools like Metasploit, Cain, Netcat, and Poison Ivy is useful, but there is no simple patch against their abuse. The goal of this course is to show you ways to defend against both current Windows attack techniques and the likely types of attacks we can expect in the future. This requires more than just reactive patch management - we need to proactively design security into our systems and networks. That is what SEC505 is about.

Your adversaries want to elevate their privileges to win control over your servers and domain controllers, so a major theme of this course is controlling administrative powers through Group Policy hardening and PowerShell scripting. Learning PowerShell is probably the single best new skill for Windows users, especially with the trend toward cloud computing. Most of your competition in the job market lacks scripting skills, so knowing PowerShell is a great way to make your resume stand out. This course devotes an entire day to PowerShell, but we start with the basics so you do not need any prior scripting experience.

This is a fun course and a real eye-opener, even for Windows administrators with years of experience. If you wish, you can get the PowerShell scripts now for this course from http://cyber-defense.sans.org/blog (go to the Downloads link). All of the tools are in the public domain.

Course Syllabus

SEC505.1: Windows Operating System and Applications Hardening

Overview

The best analogy for modern network penetration is biological warfare. The hacker exploits a vulnerable client through weak software and social engineering in order to install malware. The malware opens an SSL command-and-control channel back to the attacker. This channel is used to control the initial "Typhoid Mary" computer to infect other vulnerable systems and exfiltrate (or destroy) valuable data. When you add stealth, self-updating features, worm-like mobility, and corporate/government sponsorship to the malware, you have an Advanced Persistent Threat (APT) situation. You are in trouble.

We do not just want to detect hackers and malware, we want to try to prevent the case-zero compromise from ever happening. Prevention comes first, then detection and remediation. Today's course covers prevention through Windows operating system and applications hardening. The aim is to deny hackers and malware that initial foothold inside the network, because once they are in, they are hard to clean out.

We start by choosing malware-resistant software and Windows operating systems, then we regularly update that software, limit what software users can run, and configure that software so that its exploitable features are disabled or at least restricted to work-only purposes. Nothing is guaranteed, of course, but what if you could reduce your malware infection rate by more than half? What if your next penetration test was not an exercise in embarrassment?

The trick is hardening Windows in a way that is cost-effective, scalable, and minimally affects users. We will look at tools like EMET and Group Policy to make that process easier. As throughout the week, today's section will also look at how to implement many of the Critical Security Controls.

Overview

This course section continues the theme of resisting malware and APT adversaries, but with a special focus on securing the keys to the kingdom: administrative power. If a member of the Domain Admins group is compromised, the entire network is lost. How can we better prevent the compromise of administrative accounts and contain the harm when they do get compromised? What can we do about pass-the-hash and token abuse attacks? Remember, as a network administrator, you are a high-value target and your adversaries will try to take over your user account and infect the computers you use at work (and at home).

Hackers also love it when "regular" users are members of the local Administrators group on their computers because it makes it easier to compromise those computers and then move laterally to other machines. We will talk about what is so dangerous about the Administrators group, how to get users out of that group while still allowing them to get their work done, and, if we just cannot get users out of Administrators, then how to make User Account Control (UAC) less annoying to them...and us.

We will also see how to delegate authority in Active Directory (AD). Every object in AD has a set of permissions and audit settings. We do not have to dump everyone in the IT department into the Domain Admins group; we can delegate the power to perform tasks like resetting passwords, joining computers to the domain, and managing the attributes used by Dynamic Access Control.
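As an added illustration of that delegation model (this is not code from the course or its author), the following PowerShell grants a help-desk group only the "Reset Password" extended right on user objects beneath one OU, and turns on auditing of that right at the same time. The OU name, the group name HelpDesk and the domain corp.example.com are placeholders; the two GUIDs are the fixed schema identifiers for the Reset Password control access right and the user object class, and the script assumes the ActiveDirectory module (RSAT) and an account allowed to change the OU's security descriptor.

```powershell
# Added example, not from the course: delegate "Reset Password" on user objects
# under one OU to a help-desk group and audit its use, instead of adding the
# help desk to Domain Admins.
# Assumptions (placeholders): OU "Staff" in corp.example.com, a group "HelpDesk",
# the ActiveDirectory module installed, SeSecurityPrivilege to write the SACL.
Import-Module ActiveDirectory

$ouDN     = "OU=Staff,DC=corp,DC=example,DC=com"
$helpDesk = (Get-ADGroup "HelpDesk").SID

# Well-known schema GUIDs, identical in every AD forest
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # controlAccessRight: Reset Password
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # classSchema: user

# -Audit pulls the SACL as well as the DACL so both can be edited in one pass
$acl = Get-Acl -Path "AD:\$ouDN" -Audit

# DACL: allow HelpDesk the Reset Password extended right, but only on
# descendant objects of class "user" (not computers, groups or the OU itself)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($ace)

# SACL: record every successful use of that right by HelpDesk. The events only
# appear if "Audit Directory Service Access" is enabled on the domain controllers.
$sace = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $helpDesk,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AuditFlags]::Success,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAuditRule($sace)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list exactly what HelpDesk now holds on this OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\HelpDesk" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
```

The point of the inherited-object-type filter is least privilege: the same ACE without it would let the help desk reset passwords on every object type in the OU, including any computer or service account objects that live there.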

Finally, patch management is critically important for securing a Windows environment, but it can be expensive, difficult, and tedious. So we will talk about how to make patching Microsoft and third-party software easier, especially on BYOD and mobile devices outside the local network.

CPE/CMU Credits: 6

Topics

Compromise of Administrative Powers

Why hackers and malware love administrative users

Partially limiting pass-the-hash and token abuse

How to get users out of the administrators group

Secretly limiting the power of administrative users

Limiting privileges, logon rights and permissions

User Account Control (making it less annoying)

Picture password on touch tablets

Windows Credential Manager versus KeePass

Active Directory Permissions and Delegation

Active Directory permissions

Active Directory auditing

Delegating authority at the OU level

Why domains are not security boundaries

Logging attribute content changes

Updating Vulnerable Software

Everything must be patched every week

Patching off-site tablets and laptops

Identifying rogue devices (BYOD)

WSUS shortcomings

WSUS third-party enhancements

Windows App Store (Metro)

The future: continuous updates

SEC505.3: Windows PKI, BitLocker and Secure Boot

Overview

Public Key Infrastructure (PKI) is not an optional security service anymore. Windows Server includes a complete built-in PKI for managing certificates and making their use transparent to users. You can be your own private Certification Authority (CA) and generate as many certificates as you want at no extra charge. It is all centrally managed through Group Policy.

Digital certificates play an essential role in Windows security: IPSec, BitLocker, S/MIME, SSL/TLS, smart cards, script signing, etc. all use digital certificates. Everything needed to roll out a smart card solution, for example, is included with Windows except for the cards and readers themselves, and generic cards are available in bulk for cheap. Your motherboard's TPM chip can even stand in for a physical smart card (a TPM virtual smart card).

As more and more of our servers are pushed up to cloud-hosting providers, and as more of our devices become mobile, certificate authentication and encryption will become more necessary. Even our BYOD tablets and phones will eventually need certificates.

We also have to encrypt our laptops and portable drives to stay in compliance, but why spend a fortune on third-party products when BitLocker is built into Windows already? BitLocker is manageable through Group Policy and from the command line. BitLocker has automatic encryption key archival features for recovery, requires little or no user training, and can be used to encrypt portable USB drives.

If you have a TPM chip in your motherboard, BitLocker can seal the volume key to the TPM so that it is only released when the boot components measure as expected, which catches tampering by bootkits and other pre-OS malware; a TPM is not required for BitLocker, though. Even better, with UEFI firmware you can also turn on UEFI Secure Boot to refuse unsigned boot loaders and drivers too.
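As an added example (not code from the course or its author) of managing BitLocker from the command line with the TPM and automatic key archival, the following PowerShell enables BitLocker on the OS volume, attaches both a TPM protector and a recovery password, and escrows that password in the computer's Active Directory object. It assumes an elevated prompt on a domain-joined Windows 8 / Server 2012 or later machine whose BitLocker Group Policy permits backing up recovery information to AD DS; the drive letter is the only placeholder.

```powershell
# Added example, not from the course: BitLocker with TPM + recovery password,
# recovery password archived in AD DS.
# Assumes: elevated PowerShell, domain-joined Windows 8/Server 2012 or later,
# GPO allowing AD DS backup of recovery passwords. Placeholder: drive C:.

$drive = "C:"

# Sanity checks: a usable TPM, and (UEFI systems only) Secure Boot state
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw "TPM missing or not initialised. BitLocker would still work with a startup key or password protector, but not with this script."
}
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot state unavailable (legacy BIOS boot?)" }

# Protector 1: a 48-digit recovery password, created first so that a policy
# requiring recovery information cannot reject the TPM-only configuration.
# -SkipHardwareTest avoids the extra reboot that checks TPM/boot compatibility.
Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -RecoveryPasswordProtector -SkipHardwareTest

# Protector 2: the TPM. The volume key is sealed to the boot measurements
# (PCRs); if the boot chain changes, the TPM refuses to unseal and the
# recovery password from protector 1 is the way back in.
Add-BitLockerKeyProtector -MountPoint $drive -TpmProtector | Out-Null

# Escrow the recovery password on the computer object in Active Directory
$vol = Get-BitLockerVolume -MountPoint $drive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId

# Report encryption progress and the protectors now on the volume
$vol = Get-BitLockerVolume -MountPoint $drive
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Run the same Get-BitLockerVolume report later to confirm EncryptionPercentage has reached 100 and ProtectionStatus is On; until then the volume is readable without the protectors. On a server whose firmware offers no Secure Boot, the try/catch above simply reports that state rather than aborting.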

CPE/CMU Credits: 6

Topics

Why Have Public Key Infrastructure?

Strong authentication and encryption

Passwords are dead

Smart cards, IPSec, wireless, SSL, S/MIME, etc.

Mobile and BYOD computers

Code and document signing

How to Install the Windows PKI

Root versus subordinate certification authorities

Should you be your own root CA?

Custom certificate templates

Controlling certificate enrollment

How to Manage Your PKI

Group Policy deployment of certificates

Group Policy PKI settings

How to revoke certificates

Automatic private key backup

Credential roaming of keys

Delegation of authority

Deploying Smart Cards

Everything you need is built in

TPM virtual smart cards

Smart card enrollment station

Group policy deployment

Smart cards on a limited budget

BitLocker Drive Encryption and Secure Boot

UEFI Secure Boot

TPM boot integrity checking

Cold boot and 1394 port attacks

USB device encryption

Mounting encrypted VHD files

BitLocker emergency recovery

BitLocker Network Unlock (unlocking without the PIN on the trusted wired network)

SEC505.4: IPSec, Windows Firewall, DNS, and Wireless

Overview

IPSec is not just for VPNs. Because IPSec can authenticate computers and users against Active Directory, you can put what amount to share permissions on TCP and UDP ports, granting access based on the peer's global group memberships. IPSec can also encrypt packet payloads to keep data secure. Imagine configuring the Windows Firewall on your servers and tablets to permit access to your RPC or SMB ports only if (1) the client has a local IP address, (2) the client is authenticated by IPSec as a member of the domain, and (3) the packets are all encrypted with 256-bit AES. This is not only possible, it is relatively easy to deploy with Group Policy. This course section will show exactly how to do this.

For defense in depth, we can no longer rely on our perimeter firewalls alone. Many of our devices are mobile, so they are not behind the perimeter firewall anyway. You do not need to buy third-party host-based firewalls as we did for Windows XP: the Windows Firewall with Advanced Security is a vast improvement and is managed through Group Policy. For BYOD computers that are not domain members, the firewall and IPSec settings can also be scripted.
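The three-condition SMB rule described above, written out as an added PowerShell example (this is not code from the course or its author). It assumes a domain named CORP, the NetSecurity module that ships with Windows 8 / Server 2012 and later, and an elevated prompt; the group name "SMB Users" and the rule display names are placeholders. A connection security rule makes IPSec mandatory for inbound TCP 445, and a separate firewall rule opens the port only to local-subnet peers that IPSec has proven to be domain computers (and, optionally, members of a user group), over encrypted traffic only.

```powershell
# Added example, not from the course: SMB only from local, IPsec-authenticated
# domain computers, AES-256 encrypted. Assumes domain CORP (placeholder),
# Windows 8/Server 2012+ (NetSecurity module), elevated PowerShell.

function ConvertTo-FirewallSddl {
    # Firewall -RemoteMachine/-RemoteUser take SDDL; this builds the one-ACE form
    param([string]$Account)   # e.g. "CORP\Domain Computers"
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "O:LSD:(A;;CC;;;$sid)"    # CC = "allow connection" for firewall SDDL
}

# 1. Who may talk to us: the peer computer proves domain membership with
#    Kerberos in main mode; the logged-on user is also authenticated (AuthIP).
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$userAuth    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Computer Kerberos" -Proposal $machineAuth
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos"     -Proposal $userAuth

# 2. How the traffic is protected: ESP with AES-256 and SHA-256 integrity
$crypto = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName "ESP AES256 SHA256" -Proposal $crypto

# 3. Connection security rule: inbound SMB must be IPsec-protected. Outbound is
#    only "Request" so this host can still reach servers that have no IPsec policy.
New-NetIPsecRule -DisplayName "Require IPsec for inbound SMB" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 -Profile Domain `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -QuickModeCryptoSet $qmSet.Name

# 4. Firewall rule: the actual port opening, with all three conditions.
#    Dropping -RemoteUser relaxes the user check; keep it only if every caller
#    (including services that connect as the computer account) is in the group.
New-NetFirewallRule -DisplayName "SMB in from domain computers (IPsec)" `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow `
    -RemoteAddress LocalSubnet -Profile Domain `
    -Authentication Required -Encryption Required `
    -RemoteMachine (ConvertTo-FirewallSddl "CORP\Domain Computers") `
    -RemoteUser    (ConvertTo-FirewallSddl "CORP\SMB Users")

# 5. Verify what was written
Get-NetIPsecRule -DisplayName "Require IPsec for inbound SMB" |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Profile
Get-NetFirewallRule -DisplayName "SMB in from domain computers (IPsec)" |
    Get-NetFirewallSecurityFilter
```

To push the same rules through Group Policy instead of the local store, add -PolicyStore "corp.example.com\<GPO name>" to every New-* call (or open the GPO once with Open-NetGPO, pass -GPOSession, and commit with Save-NetGPO). A stand-alone BYOD machine cannot use Kerberos, so for it the auth proposals would switch to -Cert with your PKI's root, which is the scenario the "Scripting for BYOD stand-alones" topic covers.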

DNSSEC digitally signs DNS records to prevent spoofing and man-in-the-middle attacks. Fortunately, it is much easier to manage DNSSEC in Server 2012 and later. This course section will also examine how to require DNS secure dynamic updates, set permissions on DNS records in Active Directory, use the DNS sinkhole technique to frustrate malware, and use IPSec with DNS queries.
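Two of the DNS controls named above, secure dynamic updates and a sinkhole zone, as an added PowerShell example (not code from the course or its author). It assumes the DnsServer module on Server 2012 or later, an Active Directory-integrated zone corp.example.com, and the placeholders malware-c2.example for the attacker's domain and 10.0.0.250 for the internal host that collects the redirected connections.

```powershell
# Added example, not from the course: require secure dynamic updates on the
# production zone and sinkhole a known-bad domain.
# Assumes: DnsServer module (Server 2012+), AD-integrated zone corp.example.com.
# Placeholders: malware-c2.example (bad domain), 10.0.0.250 (sinkhole host).
Import-Module DnsServer

# 1. Only Kerberos-authenticated (domain-joined) clients may register or change
#    records, so a rogue host cannot overwrite a server's A record. Secure
#    updates are only available on AD-integrated zones.
Set-DnsServerPrimaryZone -Name "corp.example.com" -DynamicUpdate Secure

# 2. Sinkhole: an authoritative zone that shadows the attacker's domain so
#    every internal resolver client is steered to the monitoring host.
#    The wildcard catches any subdomain the malware generates; the short TTL
#    lets the sinkhole be removed quickly once the incident is over.
$badDomain  = "malware-c2.example"
$sinkholeIP = "10.0.0.250"
$ttl        = New-TimeSpan -Minutes 5

if (-not (Get-DnsServerZone -Name $badDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $badDomain -ReplicationScope Domain -DynamicUpdate None
}
Add-DnsServerResourceRecordA -ZoneName $badDomain -Name "@" -IPv4Address $sinkholeIP -TimeToLive $ttl
Add-DnsServerResourceRecordA -ZoneName $badDomain -Name "*" -IPv4Address $sinkholeIP -TimeToLive $ttl

# 3. Check both settings from the server itself
Get-DnsServerZone -Name "corp.example.com" |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
Resolve-DnsName -Name "update.$badDomain" -Server 127.0.0.1 -Type A |
    Select-Object Name, IPAddress
```

The sinkhole only helps for clients that use your DNS servers, so pair it with a firewall rule that blocks outbound port 53 from anything except those servers; and log queries for the sinkholed zone, since each one identifies an infected host.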

There is much more to wireless security than getting rid of WEP. Windows Server includes a built-in RADIUS service that can be used to regulate access to your wireless access points, managed Ethernet switches, and VPN gateways. Everything you need for a WPA2 wireless network solution, including certificate-based PEAP authentication, is built into Windows for free, and we will show you how to set it all up, step-by-step, including the PKI.

CPE/CMU Credits: 6

Topics

Why IPSec?

IPSec is not just for VPNs!

More secure than SSL

User/computer authentication

Transparent to users

No user training required

NIC hardware acceleration

Compatible with NAT

Creating IPSec Policies

Require versus prefer encryption

Share permissions on TCP ports

IDS/IPS compatibility options

IPSec-based encrypted VLANs

Group Policy management

Scripting for BYOD stand-alones

Windows Firewall

Group Policy management

Metro app and service awareness

Roaming and VPN compatibility

Deep IPSec integration

NETSH and PowerShell scripting

Securing Wireless Networks

Wi-Fi Protected Access (WPA2)

Pre-shared key weaknesses

DoS attack vulnerabilities

Rogue access point detection

BYOD and network bridging

Wireless best practices

RADIUS for Wireless and Ethernet

Certificate authentication and PKI

How to use smart cards

EAP versus PEAP

PEAP-MS-CHAPv2

802.1X for Ethernet switches

Account lockout DoS attacks

Group Policy configuration of clients

SEC505.5: Server Hardening and Dynamic Access Control

Overview

What are the best practices for hardening servers, especially servers exposed to the Internet? How can we remotely manage our servers in a secure way, especially our virtualized servers hosted by third-party cloud providers? If you have Internet-exposed servers, how can you more safely make them Active Directory domain members? If you have service accounts or scheduled jobs running as Domain Admin, what are the risks and what can you do about it? This section of the course is all about server hardening.

Are you using SSL/TLS, NTLM, Remote Desktop Protocol (RDP) or the File and Print Sharing protocol (SMB/CIFS)? These protocols and their listening ports are hacker favorites, but we often cannot live without them, so we will see how to make these and other protocols more resilient against attacks.

Windows Server 2012 introduced a major new security enhancement called Dynamic Access Control (DAC). If you have millions of files spread across multiple servers, how can you manage access to and auditing of these ever-changing files? How can we avoid relying on NTFS permissions and NTFS auditing alone?

DAC allows you to label files with such classifications as "Top Secret" or "PII," then apply restrictions and auditing based on these hidden file tags. But it is not done with AD group memberships and NTFS alone. DAC is not an NTFS management system, there is much more to it. With your own custom user and computer attributes defined in Active Directory, you can implement a Data Loss Prevention (DLP) solution based on "claims" associated with your users and their various devices. You can also perform auditing this way to help comply with regulations in your industry.

DAC works best with Server 2012 and Windows 8, but Windows 8 is not required. Even Windows XP clients can benefit. DAC is not just for file servers, it can also be extended to other platforms such as SharePoint, Rights Management Services (RMS), and Exchange. Finally, DAC is not a single tool or service, it is a new access control system with ties into the kernel.

CPE/CMU Credits: 6

Topics

Dangerous Server Protocols

Eliminate SSL, only use TLS

Requiring strong ciphers and keys

RDP man-in-the-middle attacks

SMBv3 native encryption

SMB downgrade attacks

NTLM, NTLMv2, and Kerberos

Kerberos armoring

Hardening the protocol stack

What about IPv6?

Server Hardening

Server Manager and PowerShell

Server Core/Minimal/Full

Security templates and Group Policy

Preparing for incidents: pre-forensics

Service account security

Scheduling tasks remotely and safely

Internet-Exposed Member Servers

Not every server can be a stand-alone

Active Directory for the DMZ or the cloud

Cross-forest trusts and Selective Authentication

Read-only domain controllers (RODC)

Firewall design for DMZ or cloud member servers

Dynamic Access Control (DAC)

Claims-based access control and auditing

DAC does not require Windows 8

DAC conditional expressions

DAC and complying with regulations

Automatic file classification infrastructure

User and device identity restrictions

Auditing without managing SACLs

Central access policy deployment

SEC505.6: Windows PowerShell Scripting

Overview

In the Windows world, everything is (thankfully) moving toward PowerShell, which is Microsoft's object-oriented command shell and scripting language. Virtually everything can be managed from the command line and scripts now, and automation is very important for implementing the Critical Security Controls. Server 2012 R2, for example, ships over 3,000 PowerShell cmdlets covering nearly everything, including Active Directory, IIS, Exchange, SharePoint, System Center, AppLocker, Hyper-V, firewall rules, event logs, remote command execution, and much more.

PowerShell takes the best features of UNIX shells, like ksh and bash, and then blows them out of the water. What is the big deal? PowerShell rides on top of the .NET Framework. Hence, COM objects and the entire .NET class library are available at the command prompt. When you execute commands, the output is not text, it is a stream of objects with properties and methods, just like in C#. You can even build and run graphical programs written entirely in PowerShell.

What about managing older systems and software? PowerShell can access scriptable COM objects just like VBScript and JavaScript. So while VBScript gives you COM, PowerShell gives you both .NET and COM.

And PowerShell is easier than other languages to learn when you are first getting started. This course assumes you have no prior scripting experience. We will walk through all the essentials of PowerShell together. And if you are already familiar with Perl or C#, then the PowerShell syntax will not be foreign to you. Most importantly, be prepared to have fun - PowerShell is just plain cooooooool...

CPE/CMU Credits: 6

Topics

Overview and Security

What is PowerShell?

Why should you learn it?

Why is everything in Windows getting PowerShell-ized?

Signing scripts and execution policy

Getting Around Inside PowerShell

Built-in help system

Built-in graphical editor

Aliases for CMD and bash users

Running cmdlets, functions, and scripts

Piping objects instead of text

Using properties and methods of objects

Example Commands

PowerShell remoting

Active Directory scripting

Searching event logs

Parsing nmap XML output

Write Your Own Scripts

Writing your own functions

Flow control: if-then, do-while, foreach, switch

Accessing COM objects like in VBScript

How to pipe data in/out of scripts

Windows Management Instrumentation (WMI)

What is WMI and why is it so powerful?

WMI queries and remote command execution

Searching remote event logs faster

Inventory installed software

Sample scripts to walk through together

Additional Information

Laptop Required

Please bring a virtual machine running an evaluation version of Windows Server 2012 R2, Datacenter or Standard, installed with a full GUI (not Core). During the course we will install Active Directory, Certificate Services, RADIUS (NPS), IIS, WSUS, and other services and tools. You will use the virtual machine throughout the week to follow along with the instructor demos.

Please note that without a virtual machine running Windows Server, you will only be able to watch the instructor demonstrate the exercises and you will not be able to follow along on your own computer, which is half the fun!

Where can I get the free evaluation version of Windows Server 2012 R2?

You can download a free trial version of Windows Server 2012 R2 from Microsoft as an ISO image file (an ISO file is an exported copy of a CD/DVD disk). Just do an internet search on "site:microsoft.com windows server trial eval" to find the download link to the ISO file on Microsoft's web site.

Bring the ISO file with you on your hard drive when you attend the course.

How should my virtual machine be configured?

Other than simply creating the Windows Server virtual machine, there is nothing else to configure. Everything else will be done during the training.

Please install Windows Server 2012 R2 in your virtual machine. You can use either the Standard or Datacenter Edition, either one works fine.

When you install the virtual machine, choose the "Server with a GUI" version of Windows Server, not the "Core" version. If you install the "Core" version, you will only get a CMD command shell when you log into the virtual machine. If you accidentally install the "Core" version, delete it and install a new virtual machine choosing the "Server with a GUI" version instead.


If I install Windows Server directly on the laptop, do I need a virtual machine?

No, if you install Windows Server directly onto your laptop, you do not need to also install a virtual machine with Windows Server. However, make sure to use either the evaluation version or a license-activated version of Windows Server (activate in the System applet in the Control Panel).

VMware prompts me for a license number or I get a license error message!

Make sure you have the evaluation version of Windows Server, not the retail version.

When creating the virtual machine in VMware, it is best to choose the option that says "I will install the operating system later" and then provide the path to the ISO file for Windows Server after the virtual machine has been created, not during the initial creation. After the virtual machine has been created, go to the Settings of that virtual machine and provide the path to the source ISO file. Now, when you start the virtual machine, there should be no evaluation licensing problems.

Questions?

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Use Active Directory permissions and Group Policy to safely delegate administrative authority in a large enterprise to better cope with token abuse, pass-the-hash, service/task account hijacking, and other advanced attacks.

Install and manage a full Windows PKI, including smart cards, Group Policy auto-enrollment, and detection of spoofed root CAs.

Configure BitLocker drive encryption with a TPM chip using graphical and PowerShell tools.

Harden SSL/TLS, RDP, DNS (with DNSSEC), and other commonly attacked protocols using Windows Firewall and IPSec rules managed through Group Policy and PowerShell scripts.

Install the Windows RADIUS server (NPS) for PEAP-TLS authentication of 802.11 wireless clients and for hands-free client configuration through Group Policy.

Learn how to automate security tasks on local and remote systems with the PowerShell scripting language and remoting framework.

Press & Reviews

"You will know and be confident how to enable Windows PKI after taking this course. I had no practical experience but plenty of theory. The instructor broke down the pros and cons of the whole process. Excellent!!" - Othello Swanston, DTRA-DOD

Author Statement

The courses I write for SANS are always guided by two questions: 1) What do administrators need to know to secure their networks? and 2) What should administrators learn to advance their careers as IT professionals? I am neither a Microsoft employee nor a Microsoft basher, so you will not get either kind of propaganda here. My concern is with the health of your network and your career. As a security consultant, I have seen it all (good, bad, and ugly), and my experience goes into the manuals I write for SANS and the stories I tell in seminars. The Securing Windows course is packed with interesting and useful advice that is hard to find on the Internet. We always have a good time, so I hope to meet you at the next training event!